Twitter bug revealed some Android users’ private tweets

Twitter accidentally revealed some users’ “protected” (aka, private) tweets, the company disclosed this afternoon. The “Protect your Tweets” setting typically allows people to use Twitter in a non-public fashion. These users get to approve who can follow them and who can view their content. For some Android users over a period of several years, that may not have been the case — their tweets were actually made public as a result of this bug.

The company says that the issue impacted Twitter for Android users who made certain account changes while the “Protect your Tweets” option was turned on.

For example, if the user had changed their account email address, the “Protect your Tweets” setting was disabled.

We’ve become aware of and fixed an issue where the “Protect your Tweets” setting was disabled on Twitter for Android. Those affected have been alerted and we’ve turned the setting back on for them. More here: https://t.co/0qM5B1S393

— Twitter Support (@TwitterSupport) January 17, 2019

Twitter tells TechCrunch that’s just one example of an account change that could have prompted the issue. We asked for other examples, but the company declined to share any specifics.

What’s fairly shocking is how long this issue has been happening.

Twitter says that users may have been impacted by the problem if they made these account changes between November 3, 2014, and January 14, 2019 — the day the bug was fixed.

The company has now informed those who were affected by the issue, and has re-enabled the “Protect your Tweets” setting if it had been disabled on those accounts. But Twitter says it’s making a public announcement because it “can’t confirm every account that may have been impacted.” (!!!)

The company explains to us that it was only able to notify people whose accounts it could confirm were impacted, but says it doesn’t have a complete list of impacted accounts. For that reason, it’s unable to offer an estimate of how many Twitter for Android users were affected in total.

This is a sizable mistake on Twitter’s part, as it essentially made available to the public content that users had explicitly indicated they wanted private. It’s unclear at this time whether the issue will result in a GDPR violation and fine.

The one bright spot is that some of the impacted users may have noticed their account had become public because they would have received alerts — like notifications that people were following them without their direct consent. That could have prompted the user to re-enable the “protect tweets” setting on their own. But they may have chalked up the issue to user error or a small glitch, not realizing it was a system-wide bug.

“We recognize and appreciate the trust you place in us, and are committed to earning that trust every day,” wrote Twitter in a statement. “We’re very sorry this happened and we’re conducting a full review to help prevent this from happening again.”